What this prompt does
This turns Claude Code into a dependency auditor that works against your real repo, not a generic checklist. It runs four ordered phases: it parses your [manifest_file] and lockfile to enumerate every direct and transitive package, greps [source_directory] to prove which ones are actually imported, then layers on a version and security pass (patch vs minor vs major, CVE and advisory cross-reference, abandonment flags) and a license-compliance pass against [project_license].
The reason it works is the ordering. Usage scanning comes first, so a package flagged "vulnerable" can also be flagged "unused" — and an unused vulnerable dep gets deleted instead of patched, which is the faster and safer fix. The [test_directory] vs production-dep distinction catches the classic mistake of shipping test tooling in prod. Because Claude reads the working directory, the "is this imported anywhere" answer is evidence-based, not guessed from the manifest alone.
The final phase forces a prioritized, executable plan: immediate removals, security patches, safe bumps, breaking upgrades (with what breaks named), and replacements for abandoned packages — each with the exact command, the files that may need edits, and a rollback command. The summary table plus a 1-10 health score give you a defensible before-and-after artifact.
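As an added illustration of the Phase 1 usage scan (example code, not the prompt's own output or Claude Code's implementation), here is a Python scanner that reads a package.json-style manifest, greps source and test files for import/require statements, resolves subpath imports like lodash/merge back to their root package, and flags dependencies that are unused or only imported by tests. The manifest and file contents are constructed samples; the package names supertest and jest are assumed, not from the page.

```python
import re

# Captures the specifier in: import x from 'pkg', import 'pkg', import('pkg'), require('pkg').
# Dynamic requires built from variables and framework auto-loaders are NOT caught,
# which is why the page treats "unused" as a strong signal rather than proof.
IMPORT_RE = re.compile(r"""(?:\bfrom\s+|\bimport\s*\(?\s*|\brequire\s*\(\s*)['"]([^'"]+)['"]""")

def root_package(specifier):
    """Map 'lodash/merge' -> 'lodash' and '@scope/pkg/sub' -> '@scope/pkg'."""
    parts = specifier.split("/")
    return "/".join(parts[:2]) if specifier.startswith("@") else parts[0]

def imported_packages(files):
    """files: {path: source text}. Returns {package: [paths that import it]}."""
    found = {}
    for path, text in files.items():
        for spec in IMPORT_RE.findall(text):
            if spec.startswith((".", "/")):  # relative/absolute path, not a package
                continue
            found.setdefault(root_package(spec), []).append(path)
    return found

def audit_usage(manifest, source_files, test_files):
    """Classify each declared dependency by where (if anywhere) it is imported."""
    prod_imports = imported_packages(source_files)
    test_imports = imported_packages(test_files)
    report = {}
    for name in manifest.get("dependencies", {}):
        if name in prod_imports:
            report[name] = "used"
        elif name in test_imports:
            report[name] = "test-only: move to devDependencies"  # test tooling shipped in prod
        else:
            report[name] = "unused: remove"
    for name in manifest.get("devDependencies", {}):
        report[name] = ("imported from production code: move to dependencies"
                        if name in prod_imports else "dev-only: ok")
    return report

# Constructed sample project (versions mirror the page's example output).
SAMPLE_MANIFEST = {
    "dependencies": {"lodash": "4.17.19", "moment": "2.29.1", "left-pad": "1.3.0",
                     "chalk": "4.1.2", "supertest": "6.0.0"},
    "devDependencies": {"jest": "29.0.0"},
}
SAMPLE_SRC = {
    "src/utils/merge.js": "import merge from 'lodash/merge';\nexport default merge;\n",
    "src/cli.js": "const chalk = require('chalk');\nconst moment = require('moment');\n",
}
SAMPLE_TESTS = {
    "test/api.test.js": "const request = require('supertest');\nimport { jest } from '@jest/globals';\n",
}
```

Running `audit_usage(SAMPLE_MANIFEST, SAMPLE_SRC, SAMPLE_TESTS)` flags left-pad as unused and supertest as test-only, matching the "delete before you patch" ordering the phases rely on.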
When to use it
- Inheriting a codebase and you need a fast, honest read on dependency health before touching anything.
- Pre-release hardening — you want a clean security and license posture before a tagged version ships.
- Your install times or bundle size crept up and you suspect dead or duplicated packages.
- An `npm audit` or `composer audit` run flagged CVEs and you need a prioritized fix order, not a wall of warnings.
- Compliance review: confirming no GPL/AGPL or unlicensed package snuck into an MIT or proprietary project.
- Quarterly maintenance where you batch safe patch and minor bumps and schedule the breaking ones deliberately.
Example output
Risk score: 6/10 - 2 unused deps, 1 high CVE, 4 safe bumps. ~45 min.

| package  | current | latest  | status         | action               |
|----------|---------|---------|----------------|----------------------|
| lodash   | 4.17.19 | 4.17.21 | CVE-2021-23337 | PATCH NOW            |
| moment   | 2.29.1  | 2.30.1  | unmaintained   | REPLACE -> date-fns  |
| left-pad | 1.3.0   | 1.3.0   | unused         | REMOVE               |
| chalk    | 4.1.2   | 5.3.0   | major ESM-only | HOLD - code change   |

1. Immediate removals: `npm rm left-pad` (rollback: `npm i left-pad@1.3.0`)
2. Security patches: `npm i lodash@4.17.21` (files: src/utils/merge.js)
Pro tips
- Be precise with [source_directory] and [test_directory]. In a monorepo, point it at one package per run — a wildcard scan produces noisy "unused" false positives from cross-package imports.
- The "unused" flag is a strong signal, not gospel. Dynamic requires, plugin auto-loaders, and framework service discovery (Laravel package auto-discovery, for one) import without a literal statement, so sanity-check removals there before deleting.
- Set [language] deliberately so Phase 2 checks the right footguns: prototype pollution for JS, unsafe deserialization for PHP and Java, pickle for Python. It changes which advisories matter.
- Pair it with a clean `git status` and a passing test suite first, so every rollback command actually returns you to a known-good state. Run removals and patches as separate commits.
- For the breaking-upgrades list, ask it to also draft the codemod or the specific diff per file — the migration is usually where the real time goes, not the version bump.